njrat | 2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44

General

Target

2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe
Size

265KB
MD5

651d5e0fa9831d092405b3ba6df39630
SHA1

520b5f8065faf48f5be9cd12b6790a5d08f24a30
SHA256

2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44
SHA512

2b27f11458d71210cd119eb879ec5280a5711bb379c9d8eb28d39892ed007c2f0e92dcb18234b581111a81abd2c1ceb98cccac6bf15b57bef784b237c7e2507f
SSDEEP

6144:lz+92mhAMJ/cPl3it8jT1cACTfgjdkA3Hj+6iTHpK1MiIa+HzS:lK2mhAMJ/cPlAK1kfgjdkA30K1MigH+

Score

10^/10

njrat h evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

H

C2

tmeemwtr68.no-ip.biz:1168

Mutex

8fec47ea2031d7c684beb0d0a36361b8

Attributes

reg_key
8fec47ea2031d7c684beb0d0a36361b8
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

2.2.exe2.2.exewinlogon.exewinlogon.exe

pid process

748 2.2.exe
3088 2.2.exe
2616 winlogon.exe
2160 winlogon.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3376 netsh.exe

pid	process
748	2.2.exe
3088	2.2.exe
2616	winlogon.exe
2160	winlogon.exe

pid	process
3376	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2.2.exe2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8fec47ea2031d7c684beb0d0a36361b8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .."	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8fec47ea2031d7c684beb0d0a36361b8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .."	winlogon.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2.2.exewinlogon.exe

description	pid	process	target process
PID 748 set thread context of 3088	748	2.2.exe	2.2.exe
PID 2616 set thread context of 2160	2616	winlogon.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2.2.exewinlogon.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 748 2.2.exe
Token: SeDebugPrivilege 2616 winlogon.exe
Token: SeDebugPrivilege 2160 winlogon.exe

description	pid	process
Token: SeDebugPrivilege	748	2.2.exe
Token: SeDebugPrivilege	2616	winlogon.exe
Token: SeDebugPrivilege	2160	winlogon.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe2.2.exe2.2.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 4652 wrote to memory of 748	4652	2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe	2.2.exe
PID 4652 wrote to memory of 748	4652	2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe	2.2.exe
PID 4652 wrote to memory of 748	4652	2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe	2.2.exe
PID 748 wrote to memory of 3088	748	2.2.exe	2.2.exe
PID 748 wrote to memory of 3088	748	2.2.exe	2.2.exe
PID 748 wrote to memory of 3088	748	2.2.exe	2.2.exe
PID 748 wrote to memory of 3088	748	2.2.exe	2.2.exe
PID 748 wrote to memory of 3088	748	2.2.exe	2.2.exe
PID 3088 wrote to memory of 2616	3088	2.2.exe	winlogon.exe
PID 3088 wrote to memory of 2616	3088	2.2.exe	winlogon.exe
PID 3088 wrote to memory of 2616	3088	2.2.exe	winlogon.exe
PID 2616 wrote to memory of 2160	2616	winlogon.exe	winlogon.exe
PID 2616 wrote to memory of 2160	2616	winlogon.exe	winlogon.exe
PID 2616 wrote to memory of 2160	2616	winlogon.exe	winlogon.exe
PID 2616 wrote to memory of 2160	2616	winlogon.exe	winlogon.exe
PID 2616 wrote to memory of 2160	2616	winlogon.exe	winlogon.exe
PID 2160 wrote to memory of 3376	2160	winlogon.exe	netsh.exe
PID 2160 wrote to memory of 3376	2160	winlogon.exe	netsh.exe
PID 2160 wrote to memory of 3376	2160	winlogon.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe
"C:\Users\Admin\AppData\Local\Temp\2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4652

C:\2.2.exe
"C:\2.2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\2.2.exe
C:\2.2.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3088

C:\Users\Admin\AppData\Roaming\winlogon.exe
"C:\Users\Admin\AppData\Roaming\winlogon.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Users\Admin\AppData\Roaming\winlogon.exe
C:\Users\Admin\AppData\Roaming\winlogon.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winlogon.exe" "winlogon.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:3376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.2.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
C:\2.2.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
C:\2.2.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2.2.exe.log
Filesize
418B

MD5
89c8a5340eb284f551067d44e27ae8dd

SHA1
d2431ae25a1ab67762a5125574f046f4c951d297

SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe
Filesize
358KB

MD5
f6a7b89889b271060d09088fb033d117

SHA1
4d60cc74a57ebe6740777ae0f3018c7c2128d79a

SHA256
7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940

SHA512
b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169

Download Submit
memory/748-136-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/748-140-0x0000000007EE0000-0x0000000007F7C000-memory.dmp

Filesize
624KB

Download
memory/748-139-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/748-138-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/748-137-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/748-133-0x0000000000000000-mapping.dmp

Download
memory/2160-147-0x0000000000000000-mapping.dmp

Download
memory/2616-144-0x0000000000000000-mapping.dmp

Download
memory/3088-142-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3088-141-0x0000000000000000-mapping.dmp

Download
memory/3376-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads